trace2syz has trouble generating structs like sockaddr_storage_in6 which are
wrappers around other structs like sockaddr_in6 because strace just decodes the
wrapped struct (sockaddr_in6). This causes trace2syz to generate the addr field
of sockaddr_storage_in6 from the af_family field of sockaddr_in6 which triggers
an error. We now try and detect these cases and recursively generate the struct.
Right now syzkaller only supports coverage collected from the threads that
execute syscalls. However some useful things happen in background threads,
and it would be nice to collect coverage from those threads as well.
This change adds extra coverage support to syzkaller. This coverage is not
associated with a particular syscall, but rather with the whole program.
Executor passes extra coverage over the same ipc mechanism to syz-fuzzer
with syscall number set to -1. syz-fuzzer then passes this coverage to
syz-manager with the call name "extra".
This change requires the following kcov patch:
https://github.com/xairy/linux/pull/2
Add support to accurately select variants for open and openat system calls.
This is needed because in order to accurately select ioctl variants we need
to use device resource types. The device resource types can only be created
by syz_open_dev and openat variants.
Disable qemu VGA output on ppc64le. The current pseries console code in
the kernel has a bunch of bugs, and if you don't disable VGA syzkaller
won't see console output.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
ppc64le supports KVM, let's use it.
This obviously won't work on an x86 host, but at present there are issues
using syzkaller on ppc64le with qemu in TCG mode anyway.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Add a regex for syscall symbol extraction on ppc64le. ppc64le doesn't have
any special arch prefix.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
genSockaddrStorage() determines the correct sockaddr_storage union option when we
cannot identify the system call variant. We used to have custom logic per system
call which was not tested and is actually unnecessary. This patch deletes that
code and adds a test to make sure there are no regressions.
Oops messages frequently induce possible deadlock reports
because oops reporting introduces unexpected locking chains.
So if we have enough of the actual oops, strip the deadlock message.
Oops messages frequently induce possible deadlock reports
because oops reporting introduces unexpected locking chains.
So if we have enough of the actual oops, strip the deadlock message.
NetBSD uses different uid/gid than FreeBSD/OpenBSD for the user
nobody. Instead of hardcoding the values, retrieve it from the
password entry database.
While there, switch to setuid(2) and setgid(2) calls as they are
good enough and portable. setresgid(2) and setresuid(2) aren't
available on NetBSD.
strace incorrectly printed sin6_addr before sin6_flowinfo. To fix this,
trace2syz added reorderStructFields() which swapped back the order. Incorrect
orderings of structs is a bug in strace or in our descriptions so we should
fix the source rather than work around. We have submitted a patch to fix the
sockaddr_in6 decoding in strace so we can safely delete this function.
strace decodes certain arguments like sockaddr_in.sin_port or sin_addr
as hex strings under -Xraw. This is because the arguments are in network byte
order. This patch supports converting those hex strings to int args if the size
of the string is 1, 2, 4, or 8.
rand_addr option is the first option for the ipv6_addr union
and is just an array of 16 bytes. This option makes it easy
for trace2syz to convert ipv6 address as strace decodes
the ipv6 address as a hex string.
Initialize syz data segment with protection allowed by PaX MPROTECT.
PROT_MPROTECT() registers future potential protection that is allowed
to be enabled in future.
Right now syz-fuzzer does a search through /proc/kallsyms for each syscall
to check whether it's supported. Do one search instead and save the results
to a map. This speeds up syscall detection ~60 times when testing arm64 kernel
on x86. Also add another search pattern for arm64 and add some logging.
